Fix out-of-bounds read, potential heap buffer overflow, and other CVEs

Bug #1693893 reported by pcworld
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| vlc (Ubuntu) | Fix Released | Undecided | Simon Quigley | |
| Trusty | Fix Released | Undecided | Simon Quigley | |
| Xenial | Fix Released | Undecided | Simon Quigley | |
| Zesty | Fix Released | Undecided | Simon Quigley | |
| Artful | Fix Released | Undecided | Simon Quigley | |

Bug Description

This bug is meant to track the following public VLC CVEs and their status in Ubuntu. Here are the affected Ubuntu releases and the CVEs that affect that specific release:

- Trusty:
  - 2016-5108
  - 2017-8310
  - 2017-8311
  - 2017-8312
  - 2017-8313
  - Not applicable to this version:
    - 2017-10699

- Xenial:
  - 2016-5108
  - 2017-10699
  - 2017-8310
  - 2017-8311
  - 2017-8312
  - 2017-8313

- Zesty:
  - 2017-10699
  - 2017-8310
  - 2017-8311
  - 2017-8312
  - 2017-8313
  - Already fixed in the package:
    - 2016-5108

- Artful:
  - 2017-10699
  - Already fixed in the package:
    - 2016-5108
    - 2017-8310
    - 2017-8311
    - 2017-8312
    - 2017-8313

pcworld (pcworld)
information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in vlc (Ubuntu):
status: New → Incomplete
Seth Arnold (seth-arnold) wrote : Re: Possible remote code execution related to subtitles

Hello pcworld, if you have the time to tackle this update please do note that there may be other issues still open:

http://people.canonical.com/~ubuntu-security/cve/pkg/vlc.html

Thanks

Simon Quigley (tsimonq2)
Changed in vlc (Ubuntu):
status: Incomplete → In Progress
assignee: nobody → Simon Quigley (tsimonq2)
Simon Quigley (tsimonq2)
Changed in vlc (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in vlc (Ubuntu Zesty):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in vlc (Ubuntu Xenial):
status: New → In Progress
Changed in vlc (Ubuntu Zesty):
status: New → In Progress
Simon Quigley (tsimonq2) wrote :

Here's a patch applicable to version 2.2.2-5ubuntu0.16.04.2 in Xenial. I have built it with no problems in ppa:tsimonq2/vlc-bug-1693893 and I have tested it on a fully updated Lubuntu 16.04.2 installation (it works completely fine).

Simon Quigley (tsimonq2) wrote :

Urgh, I attached a completely unrelated file from another directory... apologies, here's the ACTUAL file applicable to 2.2.2-5ubuntu0.16.04.2.

description: updated
summary: - Possible remote code execution related to subtitles
+ Fix out-of-bounds read, potential heap buffer overflow, and other CVEs
Simon Quigley (tsimonq2)
description: updated
Simon Quigley (tsimonq2) wrote :

Attached is a debdiff for Zesty applicable to 2.2.4-14ubuntu2.

Simon Quigley (tsimonq2) wrote :

Er, here's the right one.

Simon Quigley (tsimonq2) wrote :

Here's a patch for Artful applicable to 2.2.6-2.

I have been testing this on my own system for the past hour and it works completely fine.

description: updated
description: updated
Simon Quigley (tsimonq2)
Changed in vlc (Ubuntu Trusty):
status: New → In Progress
assignee: nobody → Simon Quigley (tsimonq2)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 2.2.2-5ubuntu0.16.04.3

---------------
vlc (2.2.2-5ubuntu0.16.04.3) xenial-security; urgency=high

  * SECURITY UPDATE: reject invalid QuickTime IMA files (LP: #1693893)
    - fix-CVE-2016-5108.patch
    - CVE-2016-5108
  * SECURITY UPDATE: Crash due to Out-of-Bound Heap Memory Write
    - fix-CVE-2017-10699.patch
    - CVE-2017-10699
  * SECURITY UPDATE: Fix potential out of bound reads
    - fix-CVE-2017-8310.patch
    - CVE-2017-8310
  * SECURITY UPDATE: Fix invalid double increment
    - fix-CVE-2017-8311.patch
    - CVE-2017-8311
  * SECURITY UPDATE: Fix potential heap buffer overflow
    - fix-CVE-2017-8312.patch
    - CVE-2017-8312
  * SECURITY UPDATE: ParseJSS: fix out-of-bounds read
    - fix-CVE-2017-8313.patch
    - CVE-2017-8313

 -- Simon Quigley <email address hidden> Fri, 07 Jul 2017 06:54:34 -0500

Changed in vlc (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 2.2.4-14ubuntu2.1

---------------
vlc (2.2.4-14ubuntu2.1) zesty-security; urgency=high

  * SECURITY UPDATE: Crash due to Out-of-Bound Heap Memory Write (LP: #1693893)
    - fix-CVE-2017-10699.patch
    - CVE-2017-10699
  * SECURITY UPDATE: Fix potential out of bound reads
    - fix-CVE-2017-8310.patch
    - CVE-2017-8310
  * SECURITY UPDATE: Fix invalid double increment
    - fix-CVE-2017-8311.patch
    - CVE-2017-8311
  * SECURITY UPDATE: Fix potential heap buffer overflow
    - fix-CVE-2017-8312.patch
    - CVE-2017-8312
  * SECURITY UPDATE: ParseJSS: fix out-of-bounds read
    - fix-CVE-2017-8313.patch
    - CVE-2017-8313

 -- Simon Quigley <email address hidden> Sun, 09 Jul 2017 22:37:06 -0500

Changed in vlc (Ubuntu Zesty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 2.2.6-2ubuntu1

---------------
vlc (2.2.6-2ubuntu1) artful; urgency=high

  * SECURITY UPDATE: Crash due to Out-of-Bound Heap Memory Write (LP: #1693893)
    - fix-CVE-2017-10699.patch
    - CVE-2017-10699

 -- Simon Quigley <email address hidden> Mon, 10 Jul 2017 01:33:27 -0500

Changed in vlc (Ubuntu Artful):
status: In Progress → Fix Released
Simon Quigley (tsimonq2) wrote :

Attached is a debdiff for Trusty applicable to 2.1.6-0ubuntu14.04.2.

description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 2.1.6-0ubuntu14.04.3

---------------
vlc (2.1.6-0ubuntu14.04.3) trusty-security; urgency=high

  * SECURITY UPDATE: reject invalid QuickTime IMA files (LP: #1693893)
    - fix-CVE-2016-5108.patch
    - CVE-2016-5108
  * SECURITY UPDATE: Fix potential out of bound reads
    - fix-CVE-2017-8310.patch
    - CVE-2017-8310
  * SECURITY UPDATE: Fix invalid double increment
    - fix-CVE-2017-8311.patch
    - CVE-2017-8311
  * SECURITY UPDATE: Fix potential heap buffer overflow
    - fix-CVE-2017-8312.patch
    - CVE-2017-8312
  * SECURITY UPDATE: ParseJSS: fix out-of-bounds read
    - fix-CVE-2017-8313.patch
    - CVE-2017-8313

 -- Simon Quigley <email address hidden> Mon, 10 Jul 2017 22:59:26 -0500

Changed in vlc (Ubuntu Trusty):
status: In Progress → Fix Released